fix(transport): disable automatic universe domain check (#2717)
quartzmo authored Aug 1, 2024
1 parent 88dca19 commit f5b0bb5
Showing 5 changed files with 1 addition and 126 deletions.
11 changes: 0 additions & 11 deletions internal/creds.go
Expand Up @@ -302,14 +302,3 @@ func baseTransport() *http.Transport {
ExpectContinueTimeout: 1 * time.Second,
}
}

// ErrUniverseNotMatch composes an error string from the provided universe
// domain sources (DialSettings and Credentials, respectively).
func ErrUniverseNotMatch(settingsUD, credsUD string) error {
return fmt.Errorf(
"the configured universe domain (%q) does not match the universe "+
"domain found in the credentials (%q). If you haven't configured "+
"WithUniverseDomain explicitly, \"googleapis.com\" is the default",
settingsUD,
credsUD)
}
3 changes: 1 addition & 2 deletions internal/settings.go
Expand Up @@ -204,8 +204,7 @@ func (ds *DialSettings) IsUniverseDomainGDU() bool {
}

// GetUniverseDomain returns the default service domain for a given Cloud
// universe, from google.Credentials, for comparison with the value returned by
// (*DialSettings).GetUniverseDomain. This wrapper function should be removed
// universe, from google.Credentials. This wrapper function should be removed
// to close https://github.com/googleapis/google-api-go-client/issues/2399.
func GetUniverseDomain(creds *google.Credentials) (string, error) {
timer := time.NewTimer(time.Second)
11 changes: 0 additions & 11 deletions transport/grpc/dial.go
Expand Up @@ -296,17 +296,6 @@ func dial(ctx context.Context, insecure bool, o *internal.DialSettings) (*grpc.C
if err != nil {
return nil, err
}
if o.TokenSource == nil {
// We only validate non-tokensource creds, as TokenSource-based credentials
// don't propagate universe.
credsUniverseDomain, err := internal.GetUniverseDomain(creds)
if err != nil {
return nil, err
}
if o.GetUniverseDomain() != credsUniverseDomain {
return nil, internal.ErrUniverseNotMatch(o.GetUniverseDomain(), credsUniverseDomain)
}
}
grpcOpts = append(grpcOpts, grpc.WithPerRPCCredentials(grpcTokenSource{
TokenSource: oauth.TokenSource{TokenSource: creds.TokenSource},
quotaProject: internal.GetQuotaProject(creds, o.QuotaProject),
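Review bot: With the `if o.TokenSource == nil` block gone, nothing between the `err` check and the `grpcOpts = append(...)` line compares the universe domain carried by `creds` with `o.GetUniverseDomain()`, so credentials belonging to one universe can now be attached as per-RPC credentials to an endpoint configured for another without any error at dial time; the matching removal in transport/http/dial.go has the same effect. If that is the intended contract, a one-line comment at the point the check used to live would keep the next reader from re-adding it or assuming the validation happens elsewhere: `// Universe domain of creds is deliberately not validated against o.GetUniverseDomain() here (#2717).` It also looks like `internal.GetUniverseDomain` loses both of its transport callers in this commit while its definition (including the `time.NewTimer` it sets up) is kept in internal/settings.go; if nothing else calls it, it is now dead code and the doc comment there still describes a comparison that no longer happens. The enclosing `dial` function starts before and continues after this hunk.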
11 changes: 0 additions & 11 deletions transport/http/dial.go
Expand Up @@ -182,17 +182,6 @@ func newTransport(ctx context.Context, base http.RoundTripper, settings *interna
if err != nil {
return nil, err
}
if settings.TokenSource == nil {
// We only validate non-tokensource creds, as TokenSource-based credentials
// don't propagate universe.
credsUniverseDomain, err := internal.GetUniverseDomain(creds)
if err != nil {
return nil, err
}
if settings.GetUniverseDomain() != credsUniverseDomain {
return nil, internal.ErrUniverseNotMatch(settings.GetUniverseDomain(), credsUniverseDomain)
}
}
paramTransport.quotaProject = internal.GetQuotaProject(creds, settings.QuotaProject)
ts := creds.TokenSource
if settings.ImpersonationConfig == nil && settings.TokenSource != nil {
91 changes: 0 additions & 91 deletions transport/http/dial_test.go
Expand Up @@ -7,12 +7,7 @@ package http
import (
"context"
"fmt"
"strings"
"testing"

"golang.org/x/oauth2"
"golang.org/x/oauth2/google"
"google.golang.org/api/option"
)

func TestNewClient(t *testing.T) {
Expand All @@ -31,89 +26,3 @@ func TestNewClient(t *testing.T) {
t.Fatalf("got %s, want: %s", got, want)
}
}

func TestNewClient_MismatchedUniverseChecks(t *testing.T) {
t.Setenv("GOOGLE_API_GO_EXPERIMENTAL_DISABLE_NEW_AUTH_LIB", "true")
rootTokenScope := "https://www.googleapis.com/auth/cloud-platform"
otherUniverse := "example.com"
defaultUniverse := "googleapis.com"
fakeCreds := `
{"type": "service_account",
"project_id": "some-project",
"universe_domain": "UNIVERSE"}`

// utility function to make a fake credential quickly
makeFakeCredF := func(universe string) option.ClientOption {
data := []byte(strings.ReplaceAll(fakeCreds, "UNIVERSE", universe))
creds, _ := google.CredentialsFromJSON(context.Background(), data, rootTokenScope)
return option.WithCredentials(creds)
}

testCases := []struct {
description string
opts []option.ClientOption
wantErr bool
}{
{
description: "default creds and no universe",
opts: []option.ClientOption{
option.WithCredentials(&google.Credentials{}),
},
wantErr: false,
},
{
description: "default creds and default universe",
opts: []option.ClientOption{
option.WithCredentials(&google.Credentials{}),
option.WithUniverseDomain(defaultUniverse),
},
wantErr: false,
},
{
description: "default creds and mismatched universe",
opts: []option.ClientOption{
option.WithCredentials(&google.Credentials{}),
option.WithUniverseDomain(otherUniverse),
},
wantErr: true,
},
{
description: "foreign universe creds and default universe",
opts: []option.ClientOption{
makeFakeCredF(otherUniverse),
option.WithUniverseDomain(defaultUniverse),
},
wantErr: true,
},
{
description: "foreign universe creds and foreign universe",
opts: []option.ClientOption{
makeFakeCredF(otherUniverse),
option.WithUniverseDomain(otherUniverse),
},
wantErr: false,
},
{
description: "tokensource + mismatched universe",
opts: []option.ClientOption{
option.WithTokenSource(oauth2.StaticTokenSource(&oauth2.Token{})),
option.WithUniverseDomain(otherUniverse),
},
wantErr: false,
},
}

for _, tc := range testCases {
opts := []option.ClientOption{
option.WithScopes(rootTokenScope),
}
opts = append(opts, tc.opts...)
_, _, gotErr := NewClient(context.Background(), opts...)
if tc.wantErr && gotErr == nil {
t.Errorf("%q: wanted error, got none", tc.description)
}
if !tc.wantErr && gotErr != nil {
t.Errorf("%q: wanted success, got err: %v", tc.description, gotErr)
}
}
}
